ISA 62443-3-3 – Abstract

International Society of Automation – ISA 62443-3-3

ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems. For purposes of our review, the most relevant standard is featured below: ISA-62443-3-3 Security for industrial automation and control systems Part 3-3: System security requirements and security levels.

What is in the standard

This standard addresses the issue of security for industrial automation and control systems (IACS), and outlines security requirements for control systems while assigning systems different security levels. Given that control systems are increasingly interconnected with non IACS (OT) networks – the increased connectivities introduce greater risk for cyber attack against control system hardware and software. These vulnerabilities could lead to health, safety and environmental consequences. The cyber security approach for IACS needs to consider functional requirements, risk assessments and operational issues. IACS security goals are different from IT security goals: IACS security measures must prevent the loss of essential services and emergencies. IT is more focused on protecting information rathar than human lives and physical assets.

The main objective of ISA 62443 series is to provide a framework that addresses security vulnerabilities in IACS and apply the necessary defensive mitigations. The intended audience is the IACS communities including asset owners, system integrators, product suppliers, service providers and compliance authorities. The goal is to define a common set of requirements to reach heightened security levels. There are seven foundational requirements for control systems: identification and suthentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Security measures applied to these requirements shall not cause loss of protection, loss of control or loss of view.

Relationship to Unidirectional Gateways
The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. The standard recommends unidirectional gateways for networks controling the most important and most securitized assets within IACS. The standards also recommends segmenting networks in control system networks from non-control system networks to reduce exposure to threats to control system reliability.

The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which being unidirectional gateways.